@ebowwa/hetzner 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/actions.js +721 -439
- package/auth.js +15 -11
- package/bootstrap/cloud-init.js +109 -65
- package/bootstrap/firewall.js +30 -17
- package/bootstrap/genesis.js +89 -71
- package/bootstrap/index.js +31 -7
- package/bootstrap/kernel-hardening.js +10 -6
- package/bootstrap/kernel-hardening.test.js +182 -0
- package/bootstrap/security-audit.js +10 -6
- package/bootstrap/ssh-hardening.js +10 -6
- package/client.js +180 -83
- package/config.js +4 -2
- package/errors.js +183 -108
- package/index.js +57 -12
- package/index.ts +4 -0
- package/onboarding/doppler.ts +116 -0
- package/onboarding/git.ts +133 -0
- package/onboarding/index.ts +18 -0
- package/onboarding/onboarding.ts +193 -0
- package/onboarding/tailscale.ts +159 -0
- package/onboarding/types.ts +115 -0
- package/package.json +6 -1
- package/pricing.js +216 -113
- package/schemas.js +322 -315
- package/server-status.js +122 -0
- package/servers.js +530 -287
- package/ssh-keys.js +153 -63
- package/ssh-setup.js +253 -0
- package/ssh-setup.ts +1 -1
- package/types.js +11 -8
- package/volumes.js +205 -82
package/auth.js
CHANGED
|
@@ -1,15 +1,20 @@
|
|
|
1
|
+
"use strict";
|
|
1
2
|
/**
|
|
2
3
|
* Hetzner authentication utilities
|
|
3
4
|
*/
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.getTokenFromCLI = getTokenFromCLI;
|
|
7
|
+
exports.isAuthenticated = isAuthenticated;
|
|
8
|
+
exports.resolveApiToken = resolveApiToken;
|
|
9
|
+
var node_fs_1 = require("node:fs");
|
|
10
|
+
var node_path_1 = require("node:path");
|
|
11
|
+
var node_os_1 = require("node:os");
|
|
12
|
+
function getTokenFromCLI() {
|
|
8
13
|
try {
|
|
9
|
-
|
|
10
|
-
if (existsSync(configPath)) {
|
|
11
|
-
|
|
12
|
-
|
|
14
|
+
var configPath = (0, node_path_1.join)((0, node_os_1.homedir)(), ".config", "hcloud", "cli.toml");
|
|
15
|
+
if ((0, node_fs_1.existsSync)(configPath)) {
|
|
16
|
+
var config = (0, node_fs_1.readFileSync)(configPath, "utf-8");
|
|
17
|
+
var match = config.match(/token\s*=\s*["']([^"']+)["']/);
|
|
13
18
|
if (match && match[1]) {
|
|
14
19
|
return match[1];
|
|
15
20
|
}
|
|
@@ -20,10 +25,10 @@ export function getTokenFromCLI() {
|
|
|
20
25
|
}
|
|
21
26
|
return "";
|
|
22
27
|
}
|
|
23
|
-
|
|
28
|
+
function isAuthenticated(apiToken) {
|
|
24
29
|
return apiToken.length > 0;
|
|
25
30
|
}
|
|
26
|
-
|
|
31
|
+
function resolveApiToken(explicitToken) {
|
|
27
32
|
if (explicitToken) {
|
|
28
33
|
return explicitToken;
|
|
29
34
|
}
|
|
@@ -32,4 +37,3 @@ export function resolveApiToken(explicitToken) {
|
|
|
32
37
|
}
|
|
33
38
|
return getTokenFromCLI();
|
|
34
39
|
}
|
|
35
|
-
//# sourceMappingURL=auth.js.map
|
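Review bot: The token regex at new line 17 (`config.match(/token\s*=\s*["']([^"']+)["']/)`) matches the first `token = "…"` anywhere in cli.toml, including a commented-out `# token = …` line, and — as far as I recall the hcloud CLI config format — the first `[[contexts]]` entry rather than the one named by `active_context`, so a user with several contexts silently gets the wrong credential. Anchoring the pattern per line at least excludes comments: `var match = config.match(/^\s*token\s*=\s*["']([^"']+)["']/m);`; selecting by active context needs a small TOML-aware scan, which belongs in the TypeScript source this file is compiled from. `isAuthenticated` at new line 28 dereferences `apiToken.length` and will throw instead of returning false for an undefined token; `return typeof apiToken === "string" && apiToken.length > 0;` keeps it total. getTokenFromCLI's `try` opens in the first hunk and its `catch` lies between the hunks, outside the view.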
package/bootstrap/cloud-init.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
"use strict";
|
|
1
2
|
/**
|
|
2
3
|
* Cloud-Init Bootstrap Generator
|
|
3
4
|
*
|
|
@@ -11,19 +12,33 @@
|
|
|
11
12
|
* 3. SSH Hardening (service-level hardening)
|
|
12
13
|
* 4. Security Audit (verification and reporting)
|
|
13
14
|
*/
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
15
|
+
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
|
|
16
|
+
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
|
|
17
|
+
if (ar || !(i in from)) {
|
|
18
|
+
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
|
|
19
|
+
ar[i] = from[i];
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
return to.concat(ar || Array.prototype.slice.call(from));
|
|
23
|
+
};
|
|
24
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
25
|
+
exports.securityAuditRunCmd = exports.securityAuditWriteFiles = exports.securityAuditPackages = exports.kernelHardeningRunCmd = exports.kernelHardeningWriteFiles = exports.kernelHardeningPackages = exports.generateUFWFirewallForWorker = exports.generateUFWFirewallForGenesis = exports.DEFAULT_UFW_GENESIS_OPTIONS = exports.DEFAULT_UFW_WORKER_OPTIONS = exports.ufwFirewallRunCmd = exports.ufwFirewallWriteFiles = exports.ufwFirewallPackages = exports.sshdHardeningRunCmd = exports.sshdHardeningWriteFiles = exports.sshdHardeningPackages = exports.GenesisBootstrapPresets = exports.generateRemoteGenesisBootstrap = exports.generateGenesisBootstrap = exports.BootstrapPresets = void 0;
|
|
26
|
+
exports.generateSeedBootstrap = generateSeedBootstrap;
|
|
27
|
+
exports.generateRemoteBootstrap = generateRemoteBootstrap;
|
|
28
|
+
var ssh_hardening_1 = require("./ssh-hardening");
|
|
29
|
+
var firewall_1 = require("./firewall");
|
|
30
|
+
var kernel_hardening_1 = require("./kernel-hardening");
|
|
31
|
+
var security_audit_1 = require("./security-audit");
|
|
18
32
|
/**
|
|
19
33
|
* Generate a cloud-init YAML script for seed installation
|
|
20
34
|
*
|
|
21
35
|
* @param options - Bootstrap configuration options
|
|
22
36
|
* @returns Cloud-init YAML string
|
|
23
37
|
*/
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
38
|
+
function generateSeedBootstrap(options) {
|
|
39
|
+
if (options === void 0) { options = {}; }
|
|
40
|
+
var _a = options.seedRepo, seedRepo = _a === void 0 ? "https://github.com/ebowwa/seed" : _a, _b = options.seedBranch, seedBranch = _b === void 0 ? "dev" : _b, _c = options.seedPath, seedPath = _c === void 0 ? "/root/seed" : _c, _d = options.runSetup, runSetup = _d === void 0 ? true : _d, _e = options.setupEnv, setupEnv = _e === void 0 ? {} : _e, _f = options.packages, packages = _f === void 0 ? [] : _f, _g = options.additionalCommands, additionalCommands = _g === void 0 ? [] : _g, _h = options.enableSecurity, enableSecurity = _h === void 0 ? true : _h;
|
|
41
|
+
var lines = [];
|
|
27
42
|
// Cloud-config header
|
|
28
43
|
lines.push("#cloud-config");
|
|
29
44
|
lines.push("");
|
|
@@ -43,26 +58,27 @@ export function generateSeedBootstrap(options = {}) {
|
|
|
43
58
|
// Security Module 1: UFW Firewall packages
|
|
44
59
|
if (enableSecurity) {
|
|
45
60
|
lines.push(" # Security: UFW Firewall");
|
|
46
|
-
lines.push(
|
|
61
|
+
lines.push.apply(lines, (0, firewall_1.ufwFirewallPackages)());
|
|
47
62
|
}
|
|
48
63
|
// Security Module 2: Kernel hardening packages
|
|
49
64
|
if (enableSecurity) {
|
|
50
65
|
lines.push(" # Security: Kernel hardening");
|
|
51
|
-
lines.push(
|
|
66
|
+
lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningPackages)());
|
|
52
67
|
}
|
|
53
68
|
// Security Module 3: SSH hardening packages (fail2ban)
|
|
54
69
|
if (enableSecurity) {
|
|
55
70
|
lines.push(" # Security: SSH hardening");
|
|
56
|
-
lines.push(
|
|
71
|
+
lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningPackages)());
|
|
57
72
|
}
|
|
58
73
|
// Security Module 4: Security audit packages (lynis)
|
|
59
74
|
if (enableSecurity) {
|
|
60
75
|
lines.push(" # Security: Security audit");
|
|
61
|
-
lines.push(
|
|
76
|
+
lines.push.apply(lines, (0, security_audit_1.securityAuditPackages)());
|
|
62
77
|
}
|
|
63
78
|
// Add additional packages
|
|
64
|
-
for (
|
|
65
|
-
|
|
79
|
+
for (var _i = 0, packages_1 = packages; _i < packages_1.length; _i++) {
|
|
80
|
+
var pkg = packages_1[_i];
|
|
81
|
+
lines.push(" - ".concat(pkg));
|
|
66
82
|
}
|
|
67
83
|
lines.push("");
|
|
68
84
|
// Status tracking file
|
|
@@ -93,22 +109,22 @@ export function generateSeedBootstrap(options = {}) {
|
|
|
93
109
|
// Security Module 1: UFW Firewall configuration files
|
|
94
110
|
if (enableSecurity) {
|
|
95
111
|
lines.push(" # Security Module 1: UFW Firewall configuration");
|
|
96
|
-
lines.push(
|
|
112
|
+
lines.push.apply(lines, (0, firewall_1.ufwFirewallWriteFiles)(firewall_1.DEFAULT_UFW_WORKER_OPTIONS));
|
|
97
113
|
}
|
|
98
114
|
// Security Module 2: Kernel hardening configuration files
|
|
99
115
|
if (enableSecurity) {
|
|
100
116
|
lines.push(" # Security Module 2: Kernel hardening");
|
|
101
|
-
lines.push(
|
|
117
|
+
lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningWriteFiles)());
|
|
102
118
|
}
|
|
103
119
|
// Security Module 3: SSH hardening configuration files
|
|
104
120
|
if (enableSecurity) {
|
|
105
121
|
lines.push(" # Security Module 3: SSH hardening");
|
|
106
|
-
lines.push(
|
|
122
|
+
lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningWriteFiles)());
|
|
107
123
|
}
|
|
108
124
|
// Security Module 4: Security audit script
|
|
109
125
|
if (enableSecurity) {
|
|
110
126
|
lines.push(" # Security Module 4: Security audit");
|
|
111
|
-
lines.push(
|
|
127
|
+
lines.push.apply(lines, (0, security_audit_1.securityAuditWriteFiles)());
|
|
112
128
|
}
|
|
113
129
|
// Node-agent systemd service
|
|
114
130
|
lines.push(" # Node-agent systemd service for Ralph Loop orchestration");
|
|
@@ -125,9 +141,9 @@ export function generateSeedBootstrap(options = {}) {
|
|
|
125
141
|
lines.push(" [Service]");
|
|
126
142
|
lines.push(" Type=simple");
|
|
127
143
|
lines.push(" User=root");
|
|
128
|
-
lines.push(
|
|
144
|
+
lines.push(" WorkingDirectory=".concat(seedPath, "/node-agent"));
|
|
129
145
|
lines.push(" ExecStart=/root/.bun/bin/bun run src/index.ts");
|
|
130
|
-
lines.push(
|
|
146
|
+
lines.push(" EnvironmentFile=-".concat(seedPath, "/node-agent/.env"));
|
|
131
147
|
lines.push(" Environment=PORT=8911");
|
|
132
148
|
lines.push(" Restart=always");
|
|
133
149
|
lines.push(" RestartSec=10");
|
|
@@ -158,55 +174,59 @@ export function generateSeedBootstrap(options = {}) {
|
|
|
158
174
|
lines.push(" - ln -sf /root/.bun/bin/bun /root/.bun/bin/node # Create 'node' symlink to bun");
|
|
159
175
|
lines.push("");
|
|
160
176
|
// Clone seed repository
|
|
161
|
-
lines.push(
|
|
162
|
-
lines.push(
|
|
177
|
+
lines.push(" # Clone seed repository");
|
|
178
|
+
lines.push(" - git clone --depth 1 --branch ".concat(seedBranch, " ").concat(seedRepo, " ").concat(seedPath));
|
|
163
179
|
lines.push("");
|
|
164
180
|
if (runSetup) {
|
|
165
181
|
// Build environment variables
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
182
|
+
var envVars = __spreadArray(["NONINTERACTIVE=1"], Object.entries(setupEnv).map(function (_a) {
|
|
183
|
+
var k = _a[0], v = _a[1];
|
|
184
|
+
return "".concat(k, "=").concat(v);
|
|
185
|
+
}), true);
|
|
186
|
+
var envString = envVars.join(" ");
|
|
187
|
+
lines.push(" # Run seed setup non-interactively");
|
|
188
|
+
lines.push(" - cd ".concat(seedPath, " && ").concat(envString, " bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log"));
|
|
170
189
|
lines.push("");
|
|
171
190
|
// Create completion marker
|
|
172
|
-
lines.push(
|
|
173
|
-
lines.push(
|
|
191
|
+
lines.push(" # Mark setup complete");
|
|
192
|
+
lines.push(" - touch ".concat(seedPath, "/.seed-setup-complete"));
|
|
174
193
|
lines.push("");
|
|
175
194
|
}
|
|
176
195
|
// Additional commands
|
|
177
196
|
if (additionalCommands.length > 0) {
|
|
178
|
-
lines.push(
|
|
179
|
-
for (
|
|
180
|
-
|
|
197
|
+
lines.push(" # Additional custom commands");
|
|
198
|
+
for (var _j = 0, additionalCommands_1 = additionalCommands; _j < additionalCommands_1.length; _j++) {
|
|
199
|
+
var cmd = additionalCommands_1[_j];
|
|
200
|
+
lines.push(" - ".concat(cmd));
|
|
181
201
|
}
|
|
182
202
|
lines.push("");
|
|
183
203
|
}
|
|
184
204
|
// Security Module 1: UFW Firewall activation (runs first)
|
|
185
205
|
if (enableSecurity) {
|
|
186
206
|
lines.push(" # Security Module 1: Activate UFW Firewall");
|
|
187
|
-
lines.push(
|
|
207
|
+
lines.push.apply(lines, (0, firewall_1.ufwFirewallRunCmd)(firewall_1.DEFAULT_UFW_WORKER_OPTIONS));
|
|
188
208
|
}
|
|
189
209
|
// Security Module 2: Kernel hardening activation
|
|
190
210
|
if (enableSecurity) {
|
|
191
211
|
lines.push(" # Security Module 2: Apply kernel hardening");
|
|
192
|
-
lines.push(
|
|
212
|
+
lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningRunCmd)());
|
|
193
213
|
}
|
|
194
214
|
// Security Module 3: SSH hardening activation
|
|
195
215
|
if (enableSecurity) {
|
|
196
216
|
lines.push(" # Security Module 3: Activate SSH hardening");
|
|
197
|
-
lines.push(
|
|
217
|
+
lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningRunCmd)());
|
|
198
218
|
}
|
|
199
219
|
// Security Module 4: Security audit (runs last)
|
|
200
220
|
if (enableSecurity) {
|
|
201
221
|
lines.push(" # Security Module 4: Run security audit");
|
|
202
|
-
lines.push(
|
|
222
|
+
lines.push.apply(lines, (0, security_audit_1.securityAuditRunCmd)());
|
|
203
223
|
}
|
|
204
224
|
// Mark bootstrap complete
|
|
205
|
-
lines.push(
|
|
206
|
-
lines.push(
|
|
207
|
-
lines.push(
|
|
225
|
+
lines.push(" # Mark bootstrap complete");
|
|
226
|
+
lines.push(" - echo \"status=complete\" >> /root/.bootstrap-status");
|
|
227
|
+
lines.push(" - echo \"completed_at=$(date -Iseconds)\" >> /root/.bootstrap-status");
|
|
208
228
|
if (enableSecurity) {
|
|
209
|
-
lines.push(
|
|
229
|
+
lines.push(" - echo \"security_hardening=applied\" >> /root/.bootstrap-status");
|
|
210
230
|
}
|
|
211
231
|
lines.push("");
|
|
212
232
|
lines.push(" # Start node-agent service");
|
|
@@ -224,56 +244,80 @@ export function generateSeedBootstrap(options = {}) {
|
|
|
224
244
|
* @param url - URL to fetch the cloud-init config from
|
|
225
245
|
* @returns Cloud-init YAML string with #include directive
|
|
226
246
|
*/
|
|
227
|
-
|
|
228
|
-
return
|
|
247
|
+
function generateRemoteBootstrap(url) {
|
|
248
|
+
return "#include\n".concat(url);
|
|
229
249
|
}
|
|
230
250
|
/**
|
|
231
251
|
* Bootstrap configuration presets for common scenarios
|
|
232
252
|
*/
|
|
233
|
-
|
|
253
|
+
exports.BootstrapPresets = {
|
|
234
254
|
/**
|
|
235
255
|
* Default seed installation with setup.sh and full security hardening
|
|
236
256
|
*/
|
|
237
|
-
default: ()
|
|
257
|
+
default: function () { return generateSeedBootstrap(); },
|
|
238
258
|
/**
|
|
239
259
|
* Seed installation with full security hardening and verbose logging
|
|
240
260
|
*/
|
|
241
|
-
secure: ()
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
261
|
+
secure: function () {
|
|
262
|
+
return generateSeedBootstrap({
|
|
263
|
+
setupEnv: {
|
|
264
|
+
DEBUG: "1",
|
|
265
|
+
VERBOSE: "1",
|
|
266
|
+
},
|
|
267
|
+
});
|
|
268
|
+
},
|
|
247
269
|
/**
|
|
248
270
|
* Seed installation without running setup.sh (useful for debugging)
|
|
249
271
|
*/
|
|
250
|
-
cloneOnly: ()
|
|
272
|
+
cloneOnly: function () { return generateSeedBootstrap({ runSetup: false }); },
|
|
251
273
|
/**
|
|
252
274
|
* Development bootstrap without security hardening (for testing)
|
|
253
275
|
*/
|
|
254
|
-
development: ()
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
276
|
+
development: function () {
|
|
277
|
+
return generateSeedBootstrap({
|
|
278
|
+
enableSecurity: false,
|
|
279
|
+
packages: ["htop", "vim", "strace"],
|
|
280
|
+
});
|
|
281
|
+
},
|
|
258
282
|
/**
|
|
259
283
|
* Verbose bootstrap with logging enabled
|
|
260
284
|
*/
|
|
261
|
-
verbose: ()
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
285
|
+
verbose: function () {
|
|
286
|
+
return generateSeedBootstrap({
|
|
287
|
+
setupEnv: {
|
|
288
|
+
DEBUG: "1",
|
|
289
|
+
VERBOSE: "1",
|
|
290
|
+
},
|
|
291
|
+
});
|
|
292
|
+
},
|
|
267
293
|
};
|
|
268
294
|
// Re-export Genesis bootstrap functions
|
|
269
|
-
|
|
295
|
+
var genesis_1 = require("./genesis");
|
|
296
|
+
Object.defineProperty(exports, "generateGenesisBootstrap", { enumerable: true, get: function () { return genesis_1.generateGenesisBootstrap; } });
|
|
297
|
+
Object.defineProperty(exports, "generateRemoteGenesisBootstrap", { enumerable: true, get: function () { return genesis_1.generateRemoteGenesisBootstrap; } });
|
|
298
|
+
Object.defineProperty(exports, "GenesisBootstrapPresets", { enumerable: true, get: function () { return genesis_1.GenesisBootstrapPresets; } });
|
|
270
299
|
// Re-export SSH hardening components so callers can compose custom
|
|
271
300
|
// cloud-init scripts with hardening baked in (e.g. for non-standard node types)
|
|
272
|
-
|
|
301
|
+
var ssh_hardening_2 = require("./ssh-hardening");
|
|
302
|
+
Object.defineProperty(exports, "sshdHardeningPackages", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningPackages; } });
|
|
303
|
+
Object.defineProperty(exports, "sshdHardeningWriteFiles", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningWriteFiles; } });
|
|
304
|
+
Object.defineProperty(exports, "sshdHardeningRunCmd", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningRunCmd; } });
|
|
273
305
|
// Re-export UFW firewall components
|
|
274
|
-
|
|
306
|
+
var firewall_2 = require("./firewall");
|
|
307
|
+
Object.defineProperty(exports, "ufwFirewallPackages", { enumerable: true, get: function () { return firewall_2.ufwFirewallPackages; } });
|
|
308
|
+
Object.defineProperty(exports, "ufwFirewallWriteFiles", { enumerable: true, get: function () { return firewall_2.ufwFirewallWriteFiles; } });
|
|
309
|
+
Object.defineProperty(exports, "ufwFirewallRunCmd", { enumerable: true, get: function () { return firewall_2.ufwFirewallRunCmd; } });
|
|
310
|
+
Object.defineProperty(exports, "DEFAULT_UFW_WORKER_OPTIONS", { enumerable: true, get: function () { return firewall_2.DEFAULT_UFW_WORKER_OPTIONS; } });
|
|
311
|
+
Object.defineProperty(exports, "DEFAULT_UFW_GENESIS_OPTIONS", { enumerable: true, get: function () { return firewall_2.DEFAULT_UFW_GENESIS_OPTIONS; } });
|
|
312
|
+
Object.defineProperty(exports, "generateUFWFirewallForGenesis", { enumerable: true, get: function () { return firewall_2.generateUFWFirewallForGenesis; } });
|
|
313
|
+
Object.defineProperty(exports, "generateUFWFirewallForWorker", { enumerable: true, get: function () { return firewall_2.generateUFWFirewallForWorker; } });
|
|
275
314
|
// Re-export kernel hardening components
|
|
276
|
-
|
|
315
|
+
var kernel_hardening_2 = require("./kernel-hardening");
|
|
316
|
+
Object.defineProperty(exports, "kernelHardeningPackages", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningPackages; } });
|
|
317
|
+
Object.defineProperty(exports, "kernelHardeningWriteFiles", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningWriteFiles; } });
|
|
318
|
+
Object.defineProperty(exports, "kernelHardeningRunCmd", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningRunCmd; } });
|
|
277
319
|
// Re-export security audit components
|
|
278
|
-
|
|
279
|
-
|
|
320
|
+
var security_audit_2 = require("./security-audit");
|
|
321
|
+
Object.defineProperty(exports, "securityAuditPackages", { enumerable: true, get: function () { return security_audit_2.securityAuditPackages; } });
|
|
322
|
+
Object.defineProperty(exports, "securityAuditWriteFiles", { enumerable: true, get: function () { return security_audit_2.securityAuditWriteFiles; } });
|
|
323
|
+
Object.defineProperty(exports, "securityAuditRunCmd", { enumerable: true, get: function () { return security_audit_2.securityAuditRunCmd; } });
|
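Review bot: Every caller-supplied value in `generateSeedBootstrap` is spliced into runcmd shell lines unquoted — `seedBranch`, `seedRepo` and `seedPath` at new line 178, each `setupEnv` key and value at lines 182–188 (`K=V` pairs joined with spaces), and the `packages`/`additionalCommands` items — so a value containing a space, `$`, `;` or `'` is interpreted by the shell instead of passed as data, and one containing `: ` or ` #` also corrupts the YAML plain scalar it sits in. These options are normally fixed configuration, but nothing on the page validates them, and a branch name or env value taken from an untrusted source would be executed during first boot with cloud-init's privileges. A single-quote helper applied at each interpolation point, plus a shape check on env variable names, fixes the shell side; because this file is tsc output (`__spreadArray`, the `(0, node_fs_1.…)` call form), the change belongs in the `.ts` source and the JS should be regenerated. The function body continues past the end of each hunk it appears in.
```javascript
/** Wrap a value in single quotes so the shell receives it as one literal word. */
function shellQuote(value) {
    return "'".concat(String(value).replace(/'/g, "'\\''"), "'");
}
// … unchanged: generateSeedBootstrap header, package list, write_files …
lines.push(" - git clone --depth 1 --branch ".concat(shellQuote(seedBranch), " ").concat(shellQuote(seedRepo), " ").concat(shellQuote(seedPath)));
// … unchanged …
var envVars = __spreadArray(["NONINTERACTIVE=1"], Object.entries(setupEnv).map(function (_a) {
    var k = _a[0], v = _a[1];
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(k)) throw new Error("setupEnv: invalid variable name ".concat(k));
    return "".concat(k, "=").concat(shellQuote(v));
}), true);
var envString = envVars.join(" ");
lines.push(" - cd ".concat(shellQuote(seedPath), " && ").concat(envString, " bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log"));
```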
package/bootstrap/firewall.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
"use strict";
|
|
1
2
|
/**
|
|
2
3
|
* UFW Firewall Cloud-Init Components
|
|
3
4
|
*
|
|
@@ -24,10 +25,17 @@
|
|
|
24
25
|
* - Tailscale (41641): allowed for VPN
|
|
25
26
|
* - Logging: enabled with rate limiting to prevent log flooding
|
|
26
27
|
*/
|
|
28
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
29
|
+
exports.DEFAULT_UFW_WORKER_OPTIONS = exports.DEFAULT_UFW_GENESIS_OPTIONS = void 0;
|
|
30
|
+
exports.ufwFirewallPackages = ufwFirewallPackages;
|
|
31
|
+
exports.ufwFirewallWriteFiles = ufwFirewallWriteFiles;
|
|
32
|
+
exports.ufwFirewallRunCmd = ufwFirewallRunCmd;
|
|
33
|
+
exports.generateUFWFirewallForGenesis = generateUFWFirewallForGenesis;
|
|
34
|
+
exports.generateUFWFirewallForWorker = generateUFWFirewallForWorker;
|
|
27
35
|
/**
|
|
28
36
|
* Default firewall options for Genesis control plane servers.
|
|
29
37
|
*/
|
|
30
|
-
|
|
38
|
+
exports.DEFAULT_UFW_GENESIS_OPTIONS = {
|
|
31
39
|
allowSSHFrom: [], // Empty = allow from anywhere
|
|
32
40
|
allowHTTP: true,
|
|
33
41
|
allowHTTPS: true,
|
|
@@ -37,7 +45,7 @@ export const DEFAULT_UFW_GENESIS_OPTIONS = {
|
|
|
37
45
|
/**
|
|
38
46
|
* Default firewall options for worker/seed servers.
|
|
39
47
|
*/
|
|
40
|
-
|
|
48
|
+
exports.DEFAULT_UFW_WORKER_OPTIONS = {
|
|
41
49
|
allowSSHFrom: [], // Empty = allow from anywhere
|
|
42
50
|
allowHTTP: false,
|
|
43
51
|
allowHTTPS: false,
|
|
@@ -50,7 +58,7 @@ export const DEFAULT_UFW_WORKER_OPTIONS = {
|
|
|
50
58
|
*
|
|
51
59
|
* - ufw: Uncomplicated Firewall interface to iptables/nftables
|
|
52
60
|
*/
|
|
53
|
-
|
|
61
|
+
function ufwFirewallPackages() {
|
|
54
62
|
return [
|
|
55
63
|
" - ufw",
|
|
56
64
|
];
|
|
@@ -72,8 +80,9 @@ export function ufwFirewallPackages() {
|
|
|
72
80
|
* - ICMP redirect protection
|
|
73
81
|
* - Log martian packets
|
|
74
82
|
*/
|
|
75
|
-
|
|
76
|
-
|
|
83
|
+
function ufwFirewallWriteFiles(options) {
|
|
84
|
+
if (options === void 0) { options = {}; }
|
|
85
|
+
var lines = [];
|
|
77
86
|
// 1. UFW before.rules - stateful firewall rules applied before UFW rules
|
|
78
87
|
lines.push(" # UFW before.rules - stateful firewall and network security");
|
|
79
88
|
lines.push(" - path: /etc/ufw/before.rules");
|
|
@@ -167,9 +176,10 @@ export function ufwFirewallWriteFiles(options = {}) {
|
|
|
167
176
|
* 8. Enable and reload UFW
|
|
168
177
|
* 9. Display firewall status
|
|
169
178
|
*/
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
179
|
+
function ufwFirewallRunCmd(options) {
|
|
180
|
+
if (options === void 0) { options = {}; }
|
|
181
|
+
var _a = options.allowSSHFrom, allowSSHFrom = _a === void 0 ? [] : _a, _b = options.allowHTTP, allowHTTP = _b === void 0 ? true : _b, _c = options.allowHTTPS, allowHTTPS = _c === void 0 ? true : _c, _d = options.allowNodeAgent, allowNodeAgent = _d === void 0 ? false : _d, _e = options.additionalPorts, additionalPorts = _e === void 0 ? [] : _e, _f = options.verboseLogging, verboseLogging = _f === void 0 ? false : _f;
|
|
182
|
+
var lines = [];
|
|
173
183
|
lines.push(" # UFW Firewall: Configure and enable secure firewall");
|
|
174
184
|
lines.push("");
|
|
175
185
|
// Set default policies
|
|
@@ -191,8 +201,9 @@ export function ufwFirewallRunCmd(options = {}) {
|
|
|
191
201
|
}
|
|
192
202
|
else {
|
|
193
203
|
// Allow SSH from specific IPs/CIDRs
|
|
194
|
-
for (
|
|
195
|
-
|
|
204
|
+
for (var _i = 0, allowSSHFrom_1 = allowSSHFrom; _i < allowSSHFrom_1.length; _i++) {
|
|
205
|
+
var source = allowSSHFrom_1[_i];
|
|
206
|
+
lines.push(" - ufw allow from ".concat(source, " to any port 22 proto tcp comment 'SSH from ").concat(source, "'"));
|
|
196
207
|
}
|
|
197
208
|
}
|
|
198
209
|
lines.push("");
|
|
@@ -220,10 +231,11 @@ export function ufwFirewallRunCmd(options = {}) {
|
|
|
220
231
|
// Additional ports
|
|
221
232
|
if (additionalPorts.length > 0) {
|
|
222
233
|
lines.push(" # Additional custom ports");
|
|
223
|
-
for (
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
234
|
+
for (var _g = 0, additionalPorts_1 = additionalPorts; _g < additionalPorts_1.length; _g++) {
|
|
235
|
+
var portConfig = additionalPorts_1[_g];
|
|
236
|
+
var protocol = portConfig.protocol || "tcp";
|
|
237
|
+
var comment = portConfig.comment || "Custom port ".concat(portConfig.port);
|
|
238
|
+
lines.push(" - ufw allow ".concat(portConfig.port, "/").concat(protocol, " comment '").concat(comment, "'"));
|
|
227
239
|
}
|
|
228
240
|
lines.push("");
|
|
229
241
|
}
|
|
@@ -256,7 +268,8 @@ export function ufwFirewallRunCmd(options = {}) {
|
|
|
256
268
|
* @param options - UFW firewall options (uses DEFAULT_UFW_GENESIS_OPTIONS if not provided)
|
|
257
269
|
* @returns Object with packages, writeFiles, and runCmd arrays
|
|
258
270
|
*/
|
|
259
|
-
|
|
271
|
+
function generateUFWFirewallForGenesis(options) {
|
|
272
|
+
if (options === void 0) { options = exports.DEFAULT_UFW_GENESIS_OPTIONS; }
|
|
260
273
|
return {
|
|
261
274
|
packages: ufwFirewallPackages(),
|
|
262
275
|
writeFiles: ufwFirewallWriteFiles(options),
|
|
@@ -269,11 +282,11 @@ export function generateUFWFirewallForGenesis(options = DEFAULT_UFW_GENESIS_OPTI
|
|
|
269
282
|
* @param options - UFW firewall options (uses DEFAULT_UFW_WORKER_OPTIONS if not provided)
|
|
270
283
|
* @returns Object with packages, writeFiles, and runCmd arrays
|
|
271
284
|
*/
|
|
272
|
-
|
|
285
|
+
function generateUFWFirewallForWorker(options) {
|
|
286
|
+
if (options === void 0) { options = exports.DEFAULT_UFW_WORKER_OPTIONS; }
|
|
273
287
|
return {
|
|
274
288
|
packages: ufwFirewallPackages(),
|
|
275
289
|
writeFiles: ufwFirewallWriteFiles(options),
|
|
276
290
|
runCmd: ufwFirewallRunCmd(options),
|
|
277
291
|
};
|
|
278
292
|
}
|
|
279
|
-
//# sourceMappingURL=firewall.js.map
|
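Review bot: `ufwFirewallRunCmd` interpolates `source` (new line 206) and `portConfig.port`, `protocol` and `comment` (lines 234–238) straight into `ufw allow …` shell lines, with `source` and `comment` also landing inside the single-quoted `comment '…'` argument, so a stray `'` in a comment or address string ends the quoting and the remainder is interpreted by the shell, while a non-numeric port yields a rule ufw rejects at first boot with no earlier signal. These values come from the firewall options object rather than the network, but the generator is the last place they can be checked before they become root-executed commands. Three guards inside the loops are enough: `if (!/^[0-9a-f.:]+(\/\d{1,3})?$/i.test(source)) throw new Error("allowSSHFrom: invalid address ".concat(source));`, `if (!Number.isInteger(portConfig.port) || portConfig.port < 1 || portConfig.port > 65535) throw new Error("additionalPorts: invalid port ".concat(portConfig.port));`, and `var comment = (portConfig.comment || "Custom port ".concat(portConfig.port)).replace(/'/g, "");`. Both loops sit in hunks whose enclosing function starts in an earlier hunk and ends outside the view, and since this file is tsc output the change belongs in the `.ts` source.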